Security: Protecting Privacy without Prying

Cyber criminals had a good year. They stole more than twice as many data records in 2015 as in the year before. As of November 2015, 153 million records had been stolen in 166 breaches, according to the Privacy Rights Clearinghouse. That is an unfathomable amount of financial information, personally identifiable information, and protected health information.

Clearly, the security industry needs to do a better job of protecting private data that belongs to individuals and businesses. It is no surprise, then, that 76 percent of U.S. executives are more concerned about cyber threats this year than last, according to PwC.

As cybersecurity becomes a top priority for business and government, there remains serious debate about whether the right to data privacy must be sacrificed to provide adequate protection. Surveillance and eavesdropping on Internet communications are commonplace, as underscored by the renewal of Section 215 of the Patriot Act.

Yet most people are simply unaware that their emails, texts, web browsing, and other Internet communications are subject to inspection by government and business entities. With no real choice in the matter, they have traded away their data privacy for some measure of protection against identity theft and cybercrime. That was clear when John Oliver of the late-night news satire show Last Week Tonight interviewed Edward Snowden.

Today’s security protects by prying.

The security technologies organizations currently use to protect against cyber threats must inspect content – essentially read your email – to determine whether there is a potential threat. Next-generation firewalls, intrusion prevention systems, and malware sandboxes examine clear-text network traffic to match it against known malware signatures, and identify threats by checking IP addresses and domain names against reputation lists and blacklists.

This approach identifies only threats that have been seen before, which means someone always has to be the first victim. By the time a security product's signatures and reputation lists catch up, the attackers have changed their tactics and evade detection once again. The attackers always seem to be one step ahead.

Data privacy can be violated even when communications are encrypted. SSL (today, TLS) is commonly used to encrypt web traffic, email, and other communications. Organizations can deploy web security tools that terminate the SSL session, inspect the clear text, and re-encrypt it before forwarding; doing so requires every endpoint to trust the inspecting proxy's certificate. Decrypting traffic for inspection adds latency and may be illegal in some jurisdictions, but for many organizations the protection is judged worth the performance penalty and the loss of privacy rights.

Given that 2015 is expected to break all records for data breaches, we have clearly sacrificed our data privacy for very little in return.

We can have it both ways.

It doesn’t have to be this way. We can have better protection from cyberthreats without violating the privacy of individuals and businesses.

It simply requires new thinking.

The key is to focus on attack behaviors rather than on signatures that match a particular piece of malware or a particular exploit. Attackers must keep changing their tools to evade signature-based security, but they cannot change their fundamental behaviors if they want to spy, spread, and steal inside a network.

A newer class of security product identifies these malicious attack behaviors. It relies on a combination of data science, machine learning, and behavioral analysis to detect advanced cyberthreats without compromising data privacy.

Unlike with traditional perimeter security, it doesn't matter whether attackers change their malware ever so slightly. They can't evade a behavior-based system the way they trick a signature-based one. Nor does it matter whether they use SSL to encrypt their traffic or devise their own encryption scheme, because identifying a threat by its behavior doesn't require seeing content: the timing, volume, and direction of connections and the set of hosts involved are visible whether or not the payload is.

It doesn't matter whether they hide their attack communications in widely used network protocols, piggyback on browser sessions, or blend into everyday applications like Gmail. Nor does routing command and control through Tor (The Onion Router) hide them: the remote end may be anonymous, but the compromised host's pattern of communication is still visible inside the network. With data science, machine learning, and behavioral analysis, subtle changes in the flow of attack communications reveal their malicious actions.

Because this class of security identifies and correlates malicious behaviors in real time, it can detect advanced persistent threats in every phase of the attack kill chain – command and control, internal reconnaissance, lateral movement, and data exfiltration – rather than allowing attackers free rein for months (Mandiant's 2015 M-Trends report put the median time from compromise to detection at 205 days). This enables organizations to reduce both the attacker's dwell time and the incidence of data theft.
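To make the contrast between the two approaches concrete, here is an added example (not code from the original article or from any product it alludes to). It runs three behavior detectors over constructed flow records of the kind a NetFlow/IPFIX collector exports, which carry no payload at all: a beaconing check for command and control, a fan-out check on administrative ports for internal reconnaissance and lateral movement, and a volume-ratio check for exfiltration. A tiny `signature_match` is included for contrast with the content-based matching described under "Today's security protects by prying." The `Flow` fields, the 10.0.0.0/8 internal range, the admin-port set, every threshold, and all sample flows are assumptions for illustration; a real deployment would learn baselines per host rather than use fixed cutoffs.

```python
"""Behavior-based detection over flow metadata, with a content signature check for contrast.

Added example; every flow below is constructed and every threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    """One connection summary as a flow collector would export it: no payload bytes."""
    ts: float        # start time in seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent src -> dst
    bytes_in: int    # bytes sent dst -> src


INTERNAL_PREFIX = "10."                        # assumption: the monitored network is 10.0.0.0/8
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985}  # SSH, RPC, NetBIOS, SMB, RDP, WinRM


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def signature_match(payload: bytes, signatures) -> bool:
    """Content-based check: needs clear-text payload and only matches byte patterns seen before."""
    return any(sig in payload for sig in signatures)


def beaconing(flows, min_flows=6, max_jitter=0.2):
    """Command and control: an internal host contacting one external endpoint at near-constant intervals.

    Returns {(src, dst, dport): mean_interval_seconds} for groups whose coefficient of
    variation of the inter-flow gaps is at most max_jitter.
    """
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean, 1)
    return hits


def lateral_movement(flows, min_targets=5):
    """Internal reconnaissance / lateral movement: one host reaching many peers on admin ports."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def exfiltration(flows, min_bytes=50_000_000, min_ratio=10.0):
    """Data exfiltration: large outbound transfers where the host sends far more than it receives."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)][0] += f.bytes_out
            totals[(f.src, f.dst)][1] += f.bytes_in
    return {pair: out for pair, (out, inn) in totals.items()
            if out >= min_bytes and out / max(inn, 1) >= min_ratio}


def detect(flows):
    """Run all three behavior detectors; none of them reads a single payload byte."""
    return {"beaconing": beaconing(flows),
            "lateral_movement": lateral_movement(flows),
            "exfiltration": exfiltration(flows)}


# Constructed sample: one compromised host (10.0.0.5) among ordinary traffic.
SAMPLE_FLOWS = (
    # C2 beacon to 203.0.113.7:443 roughly every 300 s; the payload could be TLS or anything else.
    [Flow(t, "10.0.0.5", "203.0.113.7", 443, 400, 600)
     for t in (0, 301, 598, 902, 1199, 1503, 1797, 2101)]
    # Ordinary browsing from 10.0.0.8: irregular bursts, far more received than sent.
    + [Flow(t, "10.0.0.8", "198.51.100.20", 443, 2_000, 50_000)
       for t in (10, 15, 400, 405, 1800, 1805, 1900)]
    # Lateral movement: 10.0.0.5 reaches seven internal hosts over SMB.
    + [Flow(2200 + i, "10.0.0.5", f"10.0.0.{11 + i}", 445, 3_000, 1_000) for i in range(7)]
    # Routine administration: 10.0.0.2 manages two servers over SSH (below threshold).
    + [Flow(2300, "10.0.0.2", "10.0.0.3", 22, 20_000, 15_000),
       Flow(2350, "10.0.0.2", "10.0.0.4", 22, 20_000, 15_000)]
    # Exfiltration: 10.0.0.5 pushes 80 MB to 203.0.113.9 and gets almost nothing back.
    + [Flow(2500, "10.0.0.5", "203.0.113.9", 443, 80_000_000, 1_500_000)]
)

if __name__ == "__main__":
    for phase, findings in detect(SAMPLE_FLOWS).items():
        print(f"{phase}: {findings}")
    # The one-byte change that defeats the signature changes nothing in the detections above.
    print(signature_match(b"MZ\x90\x00evil_stub_v1", [b"evil_stub_v1"]),
          signature_match(b"MZ\x90\x00evil_stub_v2", [b"evil_stub_v1"]))
```

Running it flags 10.0.0.5 in all three phases while the browsing host and the administrator go unflagged, and the signature check shows the weakness of content matching: renaming `evil_stub_v1` to `evil_stub_v2` evades it, whereas the beacon interval, the SMB fan-out, and the outbound byte ratio are unchanged by any payload edit or encryption. The detectors here use fixed thresholds; the data-science approach the article describes replaces them with per-host baselines so that a busy file server or a backup job does not trip the exfiltration rule.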

Advanced cyberattacks can be stopped before lasting damage is done. And we can be better protected without forfeiting our right to privacy as part of the bargain.